Counterfeit products are a duplicate or an imitation of legitimate branded products which infringe upon a production monopoly held by an individual or a corporation. Counterfeit products are produced with the intent to bypass the legitimate brand owner's monopoly and take advantage of the high market value of branded products. Counterfeit products frequently include clothing, software, pharmaceuticals, watches, electronics, recreational equipment and other branded goods resulting in patent infringement or trademark infringement.
Some pharmaceutical products have such high sales price points that counterfeiters can easily recoup the cost of duplicating complex packaging details, including security seals. Some common prescription drugs retail for $20 per dose; other medicines can cost cancer patients over $300 per day. Any and all safety and security measures can be duplicated by counterfeiters that do not have to bear the development and marketing costs. Many commercial brand owners incur enormous losses to counterfeiters.
The production and distribution of counterfeit products is difficult to measure, but official estimates are from 5 to 7% of the entire world's trade. Hundreds of billions of U.S. Dollars of international trade account for losses to brand owners. Counterfeit consumer goods, especially products that bear highly desirable brand marks and command high retail values usually originate in parts of the world where low labor rates prevail and cultural attitudes tolerate and even approve of the illegal activity. In many cases foreign workers and managers of production have little or no loyalty to the brand owner. With the means of legitimate production in their hands, there has been little to prevent them from distributing those products in a manner to reap higher profits. Counterfeiters do not have to amortize the costs of product development and advertising that boosts the value of the branded products. To achieve their objectives, counterfeiters bypass the brand owner's approved channels, often marketing directly to consumers. Since counterfeiters have a lower cost structure, they offer prices that are below prices on products that are delivered through approved distribution channels with their associated pricing policies. Sales of counterfeit products are driven by consumers that want a good deal.
Counterfeiters are deceptive; they attempt either to deceive consumers into thinking they are purchasing a legitimate item, or to convince the consumer that they could deceive others with a counterfeit product. Some counterfeit products are made in the same factory that produces the original, authentic product, using the same tooling, procedures, and materials. Owners and operators of a factory run a counterfeiting operation within their own four walls without the permission of the trademark owner. Excess product is produced and distributed without the use of anti-counterfeiting measures, making it impossible to distinguish a ‘perfect’ counterfeit from the authentic product.
Radio frequency identification (RFID) means the use of electromagnetic radiating waves or reactive field coupling in the radio frequency portion of the spectrum to communicate to or from a tag through a variety of modulation and encoding schemes to uniquely read the identity of a radio frequency tag or other data stored on it. Assuming certain criteria are met, as disclosed in the present invention, RFID can be used as part of a comprehensive item identification tool to combat counterfeiting.
An RFID tag or ‘tag’ or ‘transponder’ means either an RFID device having the ability to produce a radio signal or an RFID device which re-couples, back-scatters or reflects (depending on the type of device) and modulates a carrier signal received from a reader, writer, or encoder.
EPCglobal Gen2 RFID tags would have been the perfect universal badge of authenticity that any product made anywhere in the world could bear in order to distinguish a perfect counterfeit from an authentic product. However, the Gen2 RFID tag lacks a crypto engine because it was deemed to require too many transistors and too much power to operate as a passive RFID tag. Lacking this, brand owners have been presented with an unsatisfactory means of preventing duplication of Gen2 tags that would at face value have been an unambiguous indication of the true authenticity of a product that appears to be one of theirs. Instead of providing an electronic badge of authenticity, Gen2 system architects decided to move the authentication process to a system of globally interconnected computer servers. The operation of and data shared by each server is under the control of each trading partner. They decide what information is provided for any information query.
Thorsten Staake of the Institute of Technology Management, University of St. Gallen, Auto-ID Lab and M-Lab St. Gallen/Zurich called for a cryptographic solution for securing EPC RFID tags in February 2005 in his presentation entitled: Extending the EPC Network—The Potential of RFID in Anti-Counterfeiting. Staake claims that counterfeit products were responsible for 192,000 deaths in China in 2001 because of fake drugs; that fake baby formula has caused infants to develop rashes and seizures; that 1 million counterfeit birth control pills have caused unwanted pregnancies; that Indian hospital patients die from counterfeit glycerin; that counterfeit bolts are blamed for a Norwegian airplane crash that killed 55 passengers; that malfunctioning counterfeit parts were discovered in $7 million worth of open heart surgery pumps; that 7 children died when their bus crashed because of fake brake pads; that counterfeit shampoo was found to contain harmful bacteria; and that the risk of explosion is high in counterfeit batteries. Staake stated that “Problems occur when simple RFID Tags are duplicated”, and went on to recommend extensions to the existing EPC architecture for tags that made use of challenge-response authentication whereby a challenged tag can prove that it holds a secret without directly disclosing that secret.
Staake was correct in every aspect except that he made an unstated but critical assumption regarding the authentication process. His assumption was that the queries of secure RFID tags were often made in conditions where there was risk of eavesdropping by untrustworthy observers. It would only be under such conditions that it would be necessary to use cryptographically secure on-tag resources to securely prove authenticity. This distinction is further explained in the body of this patent specification.
Daniel Vernon Bailey and Ari Juels explain this in terms of the ease of ‘skimming’ in their U.S. Patent Application Publication Number 20070194889 wherein they state that:

    Certain commercial segments, like the pharmaceutical industry, are coming to view EPC tags as an anti-counterfeiting tool. EPC tags are a potent mechanism for object identification, and can facilitate the compilation of detailed object histories and pedigrees. They are poor authenticators, though, as they possess no explicit authentication functionality. The EPCglobal standards prescribe no mechanism for EPC readers to authenticate the validity of the tags they scan. An EPC tag emits its EPC promiscuously, i.e., to any querying reader. Readers accept the validity of the EPCs they scan at face value. Thus, EPC tags are vulnerable to counterfeiting or other types of cloning attacks.

    An attacker can learn an EPC tag's essential data, its EPC, simply by scanning it or by gaining access to an appropriate tag database. The term “skimming” is used herein to denote the process of scanning an EPC tag to obtain its EPC for the purpose of cloning the tag. Furthermore, if the unique identifiers in a manufacturer's EPCs are not random, e.g., if they are sequential, then an attacker that sees an EPC on one item can guess or fabricate another valid EPC. In brief “identity theft” of EPC tags is a straightforward matter because EPCs are data objects that are easily separable from EPC tags.

    Although EPC tags carry no explicit mechanisms for authentication, they do possess some data security features. The description herein will make reference to basic and enhanced EPC tags. A basic EPC tag is one that carries only the mandatory features of the EPCglobal standard, while an enhanced EPC tag additionally includes an access-control function that is optional in the EPCglobal standard. Basic EPC tags have only one significant security feature, namely a privacy-enhancing kill command. When an EPC tag receives this command, it “self-destructs”, which is to say that it renders itself completely and permanently inoperable. To protect against accidental or malicious killing of tags, the kill command only takes effect when accompanied by a valid password, referred to as a personal identification number (PIN). In the EPCglobal standard, the kill PIN is 32 bits in length.

    With regard to enhanced EPC tags, such tags respond to a command called access, whose implementation is optional in the EPCglobal standard. When accompanied by a valid 32-bit access PIN, the access command causes a tag to transition into what is called a “secured” state. Tags may be configured such that certain commands only function when a tag is “secured.” In particular, read access to the memory banks for the access and kill PINs may be made dependent on an EPC tag being “secured.” The standard supports no PINs other than the access and kill PINs.

    In consequence, although the EPC of a tag may be readily skimmed, a properly configured EPC tag does not promiscuously emit its PINs. Thus the PINs are resistant to skimming.

Bailey and Juels describe an application of the Access Password to transition to the secured state to expose the EPC Kill Password, thus providing for a skim-resistant EPC RFID tag without modification to the hardware. This application is also described by Mohammad Soleimani and Joseph White of Symbol Technologies in U.S. Patent Application Publication Number 20080001724 which was filed 31 Jul. 2006, which is more than a year before Bailey and Juels' August 2007 filing date. Soleimani and White disclose the same concept of using the EPC Access Password to expose a shared secret. It is important to note that this is merely an application of the EPC Air Interface Specification that was developed in mid-2004 by an industry-wide group of thought leaders. Jaemin Park, Junchae Na and Minjeong Kim also wrote an IEEE paper entitled “A Practical Approach for Enhancing Security of EPCglobal RFID Gen2 Tag” that describes access to the Kill Password as a shared secret and an associated method of changing the shared secret on each and every access of the tag.
In cryptography, a shared secret is a piece of data only known to the parties involved in a secure communication. The shared secret can be a password, a passphrase, a cryptographic pseudonym, a big number or an array of randomly chosen bytes.
Ari Juels explains cryptographic pseudonyms in his U.S. Pat. No. 7,532,104 for low-complexity RFID tags that use pseudonyms between tags and readers as a way of improving upon the existing EPC tag's open promiscuity.
Claus Wonnemann and Jens Strüker of the Department of Telematics at the Albert-Ludwigs-Universität Freiburg in Freiburg, Germany write in their IEEE paper that the cover coding of EPC Access and Kill Passwords can be intercepted by an attacker. Cover-coding is the bitwise exclusive OR (XOR) of the transmitted data with a pseudo-random number that is generated by an EPC Class 1 Gen 2 RFID tag. Wonnemann and Strüker state that even though the backscattered signal strength of an EPC tag is very low, an attacker with a beam antenna and an interrogator operating at full power could capture the backward channel, thereby exposing the pseudo-random number that is used to hide the secret codes while they are being read or written.
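The PIN-based check described by Bailey and Juels above and the cover-coding exposure noted by Wonnemann and Strüker, as an added Python example that is not code from this specification or from the cited works. The tag class, the `records` table of known PINs and every sample value are assumptions constructed for illustration; this is a simplified model, not a full Gen2 air-interface implementation.

```python
"""Added example: simplified model of an enhanced EPC Gen2 tag (constructed values)."""
import hmac
import secrets

# Constructed sample values; not taken from any real tag or from the page.
SAMPLE_EPC = "3034F4A1B2C3D4E5F6071829"
SAMPLE_ACCESS_PIN = 0x1A2B3C4D
SAMPLE_KILL_PIN = 0x5E6F7081


class Gen2Tag:
    """Tag with a 32-bit access PIN and a kill PIN readable only when secured."""

    def __init__(self, epc, access_pin, kill_pin):
        self.epc = epc
        self._access_pin = access_pin
        self._kill_pin = kill_pin
        self.secured = False
        self._rn16 = None
        self._halves = []

    def inventory(self):
        """The EPC is emitted to any querying reader; each round starts unsecured."""
        self.secured, self._rn16, self._halves = False, None, []
        return self.epc

    def req_rn(self):
        """Backscatter a fresh 16-bit random number in the clear (backward channel)."""
        self._rn16 = secrets.randbits(16)
        return self._rn16

    def access(self, cover_coded_half):
        """Undo cover-coding of one PIN half; after two halves compare with the PIN."""
        if self._rn16 is None:
            return
        self._halves.append(cover_coded_half ^ self._rn16)
        self._rn16 = None  # each random number covers exactly one half
        if len(self._halves) == 2:
            candidate = (self._halves[0] << 16) | self._halves[1]
            self._halves = []
            self.secured = candidate == self._access_pin

    def read_kill_pin(self):
        """The kill PIN bank is read-locked: returned only in the secured state."""
        return self._kill_pin if self.secured else None


def authenticate(tag, records, channel_log=None):
    """Reader side: use the access PIN to reach the secured state, then compare
    the kill PIN (the shared secret) with the value on record for this EPC."""
    epc = tag.inventory()
    if epc not in records:
        return "unknown-epc"
    access_pin, kill_pin = records[epc]
    for half in (access_pin >> 16, access_pin & 0xFFFF):
        rn16 = tag.req_rn()           # tag -> reader, weak backscatter
        frame = half ^ rn16           # reader -> tag, full power
        if channel_log is not None:
            channel_log.append({"backward_rn16": rn16, "forward_frame": frame})
        tag.access(frame)
    observed = tag.read_kill_pin()
    if observed is None:
        return "access-rejected"      # e.g. a clone carrying only a skimmed EPC
    same = hmac.compare_digest(observed.to_bytes(4, "big"), kill_pin.to_bytes(4, "big"))
    return "authentic" if same else "kill-pin-mismatch"


def observer_view(channel_log, hears_backward_channel):
    """What a passive observer of one Access exchange can reconstruct.
    Forward frames alone are PIN halves masked by unknown random numbers;
    with the backward channel as well, the mask cancels out."""
    if not hears_backward_channel:
        return None
    hi, lo = (e["forward_frame"] ^ e["backward_rn16"] for e in channel_log)
    return (hi << 16) | lo


def demo():
    records = {SAMPLE_EPC: (SAMPLE_ACCESS_PIN, SAMPLE_KILL_PIN)}
    genuine = Gen2Tag(SAMPLE_EPC, SAMPLE_ACCESS_PIN, SAMPLE_KILL_PIN)
    clone = Gen2Tag(SAMPLE_EPC, 0, 0)  # EPC copied, PINs not known to the cloner
    log = []
    return {
        "genuine": authenticate(genuine, records, log),
        "clone": authenticate(clone, records),
        "forward_only": observer_view(log, False),
        "both_channels": observer_view(log, True),
    }


if __name__ == "__main__":
    print(demo())
```

The clone is rejected because a skimmed EPC carries no PINs, while the `both_channels` result shows why the check is only as skim-resistant as the backward channel is private.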
Wonnemann and Strüker state that brute force methods of attacking EPC Class 1 Gen 2 RFID tags require 2^31 attempts on average. At a rate of 25 attacks per second, cracking the security on each separately locked tag would require 2.7 years for each tag. They also argue that a side channel attack can crack the EPC tag's passwords using techniques described by Oren and Shamir in their IEEE paper Power Analysis of RFID Tags. The main significance of the power analysis attack is in its implications: any cryptographic functionality built into tags needs to be designed to be resistant to power analysis, and achieving this resistance is an undertaking which has an effect both on the price and on the read range of tags. Fortunately there are EPC Class 1 Gen 2 tags available that do not have this problem, and still exhibit excellent range at very competitive prices.
An additional anti-cloning feature of Gen2 tags that was somewhat of a deterrent to duplication of legitimate tags was the use of factory-programmed serial numbers in the TID memory bank. For a while, the chip manufacturers only offered Read-Only Memory (ROM) in the TID bank, making it infeasible for counterfeiters to copy both the EPC and TID of a legitimate RFID tag. It is expected that at least one chip and inlay manufacturer will sell EPC inlays with a reprogrammable TID Memory Bank, making EPC Gen2 tag cloning a simple matter of ‘skimming’ valid number pairs from populations of authentic RFID tags.
In U.S. Patent Application Publication Number 20080001724, Mohammad Soleimani and Joseph White of Symbol Technologies, Inc. disclose a verbose, obvious, and logical extension of the EPC™ Radio-Frequency Identity Protocols, Class-1 Generation-2 UHF RFID, Protocol for Communications at 860 MHz-960 MHz. They disclose a read lock state for a tag that disables that tag from transmitting identifying information from the EPC memory, TID memory, and/or user memory in a manner that mimics the existing read lock functions for the kill and access passwords that are currently defined in that EPC Protocol Specification.
In U.S. Patent Application Publication Number 20090033464, Ulrich Friedrich discloses an RFID transponder with controlled access to a tag's memory areas using multiple passwords, locks, and attribute bits. This patent appears to be a useful but unnecessary extension of the existing EPC transponder specification in order to prevent duplication of legitimate RFID tags. In U.S. Patent Application Publication Number 20090033464 Friedrich describes protection of user memory with multiple passwords:

    “Memory bank 11 forms the so-called user memory area (user memory), in which any information to be determined by a user can be stored. Memory bank 11 can be partitioned individually by a user into memory subareas I, II, . . . , N and a password area. In other embodiments, partitioning is done by a manufacturer. The individual memory subareas I, . . . , N can thereby each be assigned an access password.”

This is in contrast with the present invention which uses the existing EPC specification with a single password to protect User Memory Bank 11.
Friedrich further states that:

    “It is conceivable, furthermore, that a potential attacker attempts to read data from a transponder in order to thus duplicate the transponder, for example, to place counterfeit products in circulation or to commit sabotage. Also for this reason it is desirable in many cases that, apart from passwords stored in the transponder, other data are also not freely accessible to all individuals.”

This is in contrast to the present invention that works on existing RFID tags that are built to EPC specifications whereby the memory banks are all readable, and only the password banks have limited read access as determined by the state of the lock bits.
In U.S. Patent Application Publication Number 20080196106 Ulrich Friedrich discloses another type of EPC tag variant with a shadow memory to hide information that would authenticate RFID tags so long as others could not find the hidden memory locations within the RFID tag.
In U.S. Pat. No. 7,205,897 by Tao Lin, and assigned to SAP Aktiengesellschaft of Walldorf, Deutschland, the inventor teaches a method of detecting the presence of counterfeit goods in the auto-ID system based on a determination that progress of the asset through the auto-ID system has not followed the predetermined path. The patent makes use of the well-known EPC Information Services (EPCIS) layer that allows the exchange of EPC data over a network. That is, EPCIS provides a standard format or protocol by which a reader that has identified an EPC number may find and use information about that number and about its associated item. EPCIS is used in this patent to oversee information events and store them in an EPCIS repository. The repository accumulates data over relatively long periods of time during which the data may not be immediately useful to any particular application or device. Generally speaking, a flow of information for a number of objects may be too great for the repository to be practically useful in real-time, particularly given potential network delays. Data queries have access to an Object Naming Service (ONS), which is a look-up service that allows authorized tracking applications to find information about a product, based on the EPC code for that product. The ONS may have different levels of information, which may be classified. The shortfall of this method of determining the authenticity of products is that it is very network- and server-intensive, and requires an omniscient overseer role to be performed by a global data processing entity. As difficult and impractical as all this may be to implement, it is even more unlikely that retailers will opt to open an EPCIS portal to such an overseer if they believe that it is possible that they would be caught selling counterfeit goods, even if it is not directly their own fault.
Christopher J. Diorio et al discloses a method in his U.S. Pat. No. 7,633,376 entitled “Reporting on Authentication of RFID Tags for Indicating Legitimacy of Their Associated Items” that depends upon a real time database connection to perform the required authentication functions. The present invention does not require a real-time infrastructure as required by the prior art. The prior art is at the mercy of the associated time delays and global database connection uncertainties of their proposed infrastructure.
Christopher J. Diorio et al also discloses methods for secure communication with RFID tags by using noise-encrypted RF carrier signals in U.S. Patent Application Publication Numbers 2005/0058292 and 2007/0177738. Both of these methods involve the transmission of a noise signal that is separated from the received signal waveform by an authorized reader. In contrast, the present invention takes advantage of the close proximity of a transponder to the near field coupler to inject noise into the surrounding environment to thwart eavesdropping attacks.
In U.S. Pat. No. 7,073,712 Jusas et al. teach an RFID encoding/verifying apparatus comprising: a platform for positioning RFID containing stock including barcodes upon; a feeder positioned on said platform for advancing said RFID containing stock: a motor in communication with said feeder for advancing said RFID containing stock a predetermined distance when activated. Although barcodes are scanned and RFID transponders are encoded, the inventors are stuck with having to VOID products that have an RFID transponder that will not encode properly, resulting in waste and disposal of goods. This is in contrast to the present invention that encodes transponders and only uses and applies to the goods fully operational transponders. This patent also fails to address the anti-counterfeiting measures that are needed to assure that valid RFID transponders are not duplicated, as would be the goal of modern day pirates.
In U.S. Pat. No. 7,360,714 Sano et al. teach a label issuing apparatus, comprising: a sensor for detecting a container or a container carrying an RFID tag, the sensor outputting a detection signal when the sensor detects the container; a printer; and an RFID tag reader/writer. This tag encoding solution suffers from the same shortcomings as the Jusas '712 solution in that the RFID tags are encoded when they are already attached to a target container. Similarly Curt Carrender's U.S. Pat. No. 7,055,750 has the same limitations, plus any RFID transponder failures require at a minimum some amount of rework. This patent also fails to address the anti-counterfeiting measures that are needed to assure that valid RFID transponders are not illegally duplicated.
U.S. Pat. No. 6,848,616 by Tsirline et al., U.S. Pat. No. 7,320,432 by Sureaud et al., U.S. Pat. No. 7,066,667 by Chapman et al., and application 2005/0280537 by Feltz et al. are representative of a broad class of prior art that combines RFID transponder encoding with printing functions and devices. The printing functions are not required for RFID transponders to function. Printing hardware and consumable materials such as ribbons, ink, and paper all unnecessarily add to the cost, weight, and size of the equipment and the resulting transponders. Adding paper faces to RFID inlays increases the size and weight by a factor of two, three, or more depending on how large the paper overlay is. To avoid incurring a throughput penalty, the printing mechanisms add weight and bulk to tagging equipment, which prevents the mobility and ease of use that are readily available to the user in the present invention. These patents, as with other printer/encoder patents, neither anticipate the need for nor solve transponder or item counterfeiting problems. The use of these unsecured devices threatens to compound global counterfeiting problems by encoding transponders in a manner that leaves tags as easy targets for illegal copying and cloning on a massive scale.
In U.S. Pat. No. 6,963,351 inventor Squires proposes the use of identification tags on a supply of consumable items that allows the consumable production equipment to recognize the loaded consumable supply items. The equipment can then initiate a variety of activities that are based on the loaded supply item. In addition, Squires describes a feature that allows the production equipment to write to the identification tag, as in the case of updating the count of remaining supplies. Squires in no way recognizes the scenario of someone maliciously duplicating the tag that identifies the consumable item. With this prior art, the identification tag cannot be assured to represent an authentic supply of consumables. This is opposed to the present invention which uses encryption means on a supply identification tag to assure an authentic supply of consumables and an authentic count of consumables remaining. This level of protection is vital to ensure a secure RFID encoding system, thus preventing counterfeits and protecting brand identity.
In U.S. Patent Application Publication Number 2002/0059880, inventors Klinefelter et al describe a card supply for use with an identification card printing system comprising: a card hopper containing a stack of cards; and a supply circuit mounted to the card hopper and having a memory containing supply information relating to parameters of the card supply. This patent application, as well as the previously mentioned U.S. Pat. No. 6,963,351, in contrast to the present invention fail to address the challenges of using a radio frequency identification transponder to provide information about encoding a supply of unencoded RFID transponders. In the present invention the same RFID interrogator that is used to encode RFID transponders is also capable of reading an RFID transponder mounted to the loaded cartridge, and is also preferably capable of filtering out its response to the interrogation or programming of the RFID transponders supplied by the cartridge.
In published U.S. Pat. No. 7,664,257, inventors Hohberger and Tsirline disclose a system for authenticating consumable media such as plastic cards, ink, or ribbon cartridges that include an anti-piracy deterrent. The inventors disclose the use of RFID transponders with anti-collision protocols but fail to anticipate that the consumable media could also be a supply of RFID transponders. This is evident in the omission of any attempt to filter out or separate responses from transponders that are themselves consumable media, nor do Hohberger and Tsirline address the challenges of encoding such consumable media using the same interrogator that is used to identify the supply of media. The present invention addresses and solves these challenges.
Those skilled in the art know that modern standards for protecting computing devices from cryptographic attacks were not published until the National Institute of Standards and Technology published the Security Requirements for Cryptographic Modules, Federal Information Processing Standards (FIPS) Publication 140-1 on Jan. 11, 1994. Therefore prior art for using authentication of items prior to that date is unlikely to include the scope and depth of the FIPS standard. Furthermore since the prior art listed below is generally for protection of consumable inks and media for printing, the prior art fails to anticipate the need for anything more than a minimal level of security and certainly not to a degree that would require military-grade cryptographic key management and tamper detection countermeasures for the cryptographic module. Such concerns would not come for another decade or more when the technological expertise of commercial counterfeiters has escalated to include the ability to efficiently reverse engineer smart phones and other high value consumer products for mass replication. If the inventors of that prior art had anticipated that their RFID-based authentication schemes were up to the task of protecting RFID tags from counterfeiting operations and unauthorized cartridge refills, then the scope and magnitude of their anti-counterfeiting measures would have been more comprehensive and suitable for preventing counterfeiting of RFID tags on valuable commercial goods. In contrast to the present invention that uses a highly secure single chip cryptographic module, the prior art fails to teach what parts of the RFID tag authentication mechanisms even require protection from attackers, much less how it would be accomplished. 
The absence of these critical security elements renders the authentication mechanisms disclosed therein completely useless for solving the problems that are for the first time solved by the comprehensive security system of the present invention.
The following list of prominent prior art obviously lacks the anti-counterfeiting foresight or means to do more than superficially authenticate RFID transponders or consumable media materials or to thwart the capabilities of modern counterfeiting operations: U.S. Pat. No. 6,227,643 Intelligent printer components and printing system, May, 2001 by Purcell et al.; U.S. Pat. No. 6,312,106 Method and apparatus for transferring information between a replaceable consumable and a printing device, November, 2001 by Ray Walker; U.S. Pat. No. 6,409,401 Portable printer with RFID encoder, June, 2002 by Petteruti et al.; U.S. Pat. No. 6,687,634 Quality monitoring and maintenance for products employing end user serviceable components, February, 2004 by Borg; U.S. Pat. No. 6,694,884 Method and apparatus for communicating between printer and card supply, February, 2004, by Klinefelter et al.; U.S. Pat. No. 6,708,005 Image forming apparatus and method of controlling memory thereof, March, 2004, by Chihara; U.S. Pat. No. 6,714,745 Image forming apparatus having a plurality of image forming stations, and unit detachably mountable on the apparatus, March, 2004 by Sasame et al.; U.S. Pat. No. 6,722,753 Method and apparatus for checking compatibility of a replaceable printing component, April, 2004, by Helterline et al.; U.S. Pat. No. 6,735,399 Post-launch process optimization of replaceable sub-assembly utilization through customer replaceable unit memory programming, May, 2004, by Tabb et al.; U.S. Pat. No. 6,738,903 Password protected memory on replaceable components for printing devices, May, 2004, by Haines; U.S. Pat. No. 6,748,182 Replacing part containing consumable part and image forming apparatus using replacing part, June, 2004, by Yoshida et al.; U.S. Pat. No. 6,791,704 Method and device for managing printing product resources available in a printer, September, 2004, by Moreau et al.; U.S. Pat. No. 
6,793,307 Printer capable of forming an image on a receiver substrate according to type of receiver substrate and a method of assembling the printer, September, 2004, by Spurr et al.; U.S. Pat. No. 6,798,997 Supply ordering apparatus, September, 2004, by Hayward et al.; U.S. Pat. No. 6,802,659 Arrangement for automatic setting of programmable devices and materials therefor, October, 2004, by Cremon et al.; U.S. Pat. No. 6,807,380 Wireless communication system and image forming device, October, 2004, by lida et al.; U.S. Pat. No. 6,808,255 Storage of printing device usage data on a printing device replaceable component, October, 2004, by Haines et al.; U.S. Pat. No. 6,820,039 Facilitating device upkeep, November, 2004, by Johnson et al.; U.S. Pat. No. 6,832,866 Printer or laminator supply, December, 2004, by Klinefelter et al.; U.S. Pat. No. 6,879,785 Image forming apparatus having reusable unit and reusable unit with indicator of record on use, April, 2005, by Ito et al.; U.S. Pat. No. 6,894,711 Thermal transfer recording web roll, May, 2005, by Yamakawa et al.; U.S. Pat. No. 6,932,527 Card cartridge, August, 2005, by Pribula et al.; U.S. Pat. No. 6,954,533 Electronic identification system and method with source authenticity, October, 2005, by Turner et al.; U.S. Pat. No. 6,963,351 Radio frequency identification tags on consumable items used in printers and related equipment, November, 2005, by Squires; U.S. Pat. No. 6,986,057 Security device and method, January, 2006, by Cusey et al.; U.S. Pat. No. 7,018,117 Identification card printer ribbon cartridge, March, 2006, by Meier et al.; U.S. Pat. No. 7,031,946 Information recording medium, noncontact IC tag, access device, access system, life cycle management system, input/output method, and access method, April, 2006, by Tamai et al.; U.S. Pat. No. 7,147,165 Adapting element for programmable electronic holders, December, 2006, by Mongin et al.; U.S. Pat. No. 
7,183,505 Adapting element for programmable electronic holders and use in a multipurpose personalization machine February, 2007 Mongin et al.; US application 2002/0062898 RF tag application system, May, 2002, by Austin et al.; US application 2004/0109715 Identification card printer and ribbon cartridge, June, 2004, by Meier et al.; US application 2004/0114981 Identification card printer ribbon cartridge, June, 2004, by Meier et al.; US application 2005/0275708 Radio frequency identification tags on consumable items used in printers and related equipment, December, 2005, by Squires et al.; US application 2006/0123471 Credential production using a secured consumable supply, June, 2006, by Fontanella et al.; US application 2007/0056027 Securely processing and tracking consumable supplies and consumable material, March, 2007, by Nehowig et al.; US application 2007/0057057 SYNCHRONIZATION TECHNIQUES IN MULTI-TECHNOLOGY/MULTI-FREQUENCY RFID READER ARRAYS, March, 2007, by Andresky et al.; WO/2001/057807 METHOD OF AUTHENTICATING A TAG, August, 2001; and WO/2003/019459 METHOD AND APPARATUS FOR ARTICLE AUTHENTICATION, March, 2003.
Prior art methods of controlling counterfeit goods have been similar to how counterfeit bar codes are detected. Counterfeit bar codes have long been a problem when used on tickets for events and ski resorts. The problem was eliminated when a database was kept online and queried for each serialized bar code scanned at the gate. Any second occurrence of the same bar code would be treated as a duplicate (even if it was the original) and the person was refused entry. That same solution cannot be practically used for counterfeit goods because there is no focal point of entry; duplicates would have to be checked for throughout the world, in flea markets and pawn shops everywhere. This approach is heavily networked, requires overlord authorizations with multiple retail outlets, feet on the street, and is very expensive and impractical.
If a cryptographic engine could be placed onto an RFID tag, and a challenge-response authentication process can be utilized whereby the challenger can be certain that the challenged RFID tag in fact bears the secret code without directly divulging it, then the authenticity can be confirmed with a very high degree of confidence. However, the scope of this invention disclosure relates to RFID tags that lack a cryptographic engine, and only have publicly observable information.
So, despite recent advances in RFID technology, the state of the art does not fully address the needs of authenticating wireless sensors that are already in broad public use. Large-scale adoption and deployment of RFID transponders depends on brand owners realizing substantial new levels of supply chain security that surpass the shortcomings of traditional anti-counterfeiting technologies and methods.
The same novel ideas used to thwart counterfeiting can be used to protect retailers from corporate espionage, at the same time protecting consumer privacy. The questions have been asked, “Would one retailer spy on another to gain market knowledge?” and “Would criminals use RFID to select which home they want to break into?” The answer to both of these questions is yes; these are two examples of the many security risks to both retailers and their customers. This is the risk that is presented by using the Electronic Product Code (EPC) with the unprotected Unique Item Identifier (UII) in retail supply chains or beyond the public space of the retail sales floor.
The retailer competitive intelligence scenario was foreseen by Ross Stapleton-Gray of Stapleton-Gray & Associates, Inc. and disclosed in the article “Would Macy's Scan Gimbels? Competitive Intelligence and RFID” dated 1 Dec. 2003 in Issue 44 of scip.online. This article was originally presented to the RFID Privacy Workshop at MIT, Nov. 15, 2003 sponsored in part by the MIT Computer Science and Artificial Intelligence Laboratory, MIT Media Lab, and RSA Laboratories.

Competitive intelligence, on the inventory of a retailer, both its type, and turnover, may be of interest to retail competitors, to suppliers, and to manufacturers, as well as to third party companies collecting data for analysis. (Note: EPC scanning in the store would only provide unique identifiers of tagged items, though that is sufficient to identify the manufacturer, and product type—through repeat scans over time, one could gauge product turnover . . . ).

An ideal solution, as far as suppression of “leakage” of information (short of no RFID tags whatsoever) is use of store-specific tags, i.e., tags whose values are understandable only with access to the store's internal information systems. Recoding RFIDs would include:

reprogramming reprogrammable tags with “store internal” values mapped to the actual EPCs
killing non-reprogrammable tags
affixing tags with “store internal” values to items, either those whose tags were killed, or which have never borne RFID tags, where in-store monitoring is desired

The first action could be performed at any of several points, such as when stock is received, in inventory, on the shelves, etc., with minimal effort (assuming some RFID management infrastructure including a reader capable of rewriting tags). It could also be performed piecemeal, and over time: any time a store reader encounters a reprogrammable tag with an EPC, it can reprogram it to a store-internal value. The store's information systems would hold the two values (original EPC, and in-store assignment) as equivalent. If killing tags is required by point-of-sale to address consumer privacy concerns, there is no reason it might not be done earlier, e.g., as stock is moved out to the shelves.
Stapleton's article fails to address the needs of the retailer in a retail setting to hide the EPC code of the tag in an encrypted form, while still allowing the retailer to convert the encrypted identity back to its original EPC code without using a database to map the conversion from a public identity to a store-internal value. Using such a database relies on network timing, often over an open internet connection with non-deterministic network delays.
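The contrast drawn above, as an added example that is not code from the patent or from the cited article: a store-internal mapping table beside a keyed, reversible transform of a 96-bit EPC that needs no per-tag record. The Feistel construction over HMAC-SHA-256, the 96-bit length, the key and the sample EPC are assumptions chosen for illustration; the page does not name a cipher.

```python
import hashlib
import hmac
import secrets

EPC_BITS = 96                      # assumed identifier length
HALF_BITS = EPC_BITS // 2
HALF_MASK = (1 << HALF_BITS) - 1
ROUNDS = 8                         # illustrative round count

# Constructed sample values, not taken from the page.
SAMPLE_EPC = 0x3074257BF7194E4000001A85
STORE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


class StoreMappingTable:
    """Recoding with "store internal" values: one database row per tag."""

    def __init__(self):
        self._internal_to_epc = {}

    def recode(self, epc: int) -> int:
        internal = secrets.randbits(EPC_BITS)
        while internal in self._internal_to_epc:
            internal = secrets.randbits(EPC_BITS)
        self._internal_to_epc[internal] = epc
        return internal

    def lookup(self, internal: int):
        # None when this copy of the table lacks the row, e.g. a reader
        # that could not reach or sync with the store database.
        return self._internal_to_epc.get(internal)


def _round_value(key: bytes, round_no: int, half: int) -> int:
    msg = bytes([round_no]) + half.to_bytes(HALF_BITS // 8, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[: HALF_BITS // 8], "big")


def hide_epc(key: bytes, epc: int) -> int:
    """Keyed permutation of the 96-bit space (balanced Feistel network).

    Deterministic: the hidden value is still a stable identifier for the
    tag; what it conceals is the manufacturer and product fields.
    """
    if not 0 <= epc < (1 << EPC_BITS):
        raise ValueError("EPC must fit in 96 bits")
    left, right = epc >> HALF_BITS, epc & HALF_MASK
    for round_no in range(ROUNDS):
        left, right = right, left ^ _round_value(key, round_no, right)
    return (left << HALF_BITS) | right


def reveal_epc(key: bytes, hidden: int) -> int:
    """Inverse of hide_epc: needs only the key, no database lookup."""
    if not 0 <= hidden < (1 << EPC_BITS):
        raise ValueError("hidden value must fit in 96 bits")
    left, right = hidden >> HALF_BITS, hidden & HALF_MASK
    for round_no in reversed(range(ROUNDS)):
        left, right = right ^ _round_value(key, round_no, left), left
    return (left << HALF_BITS) | right


def demo() -> dict:
    table = StoreMappingTable()
    internal = table.recode(SAMPLE_EPC)
    hidden = hide_epc(STORE_KEY, SAMPLE_EPC)
    return {
        "table_lookup_ok": table.lookup(internal) == SAMPLE_EPC,
        "offline_reader_lookup": StoreMappingTable().lookup(internal),
        "hidden_epc": f"{hidden:024X}",
        "revealed_ok": reveal_epc(STORE_KEY, hidden) == SAMPLE_EPC,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
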
In U.S. Pat. No. 7,034,689 inventors Bertrand Teplitxky and Lawrence G. Martinelli disclose a product security system, comprising a radio frequency identification tag with long-chain cross-linked polymers that entangle the tag in the packaging such that attempts to open the product container or remove the RFID chip and tuned antenna break the antenna and render the RFID chip inoperable. This prior art filed in 2004 differs from the present invention by focusing on tamper-evident attachment methods instead of a plurality of authentication means and methods disclosed herein.
In U.S. Patent Application Publication Number 20070152033 entitled ‘Merchandise-Integral Transaction Receipt and Auditable Product Ownership Trail’ inventors Hind, Stockton, and Marcia disclose and claim a system for establishing a secure electronic transaction receipt for a product, comprising: a means for accessing a product-integral ownership record to determine a current owner of the product; a means for securely revising the product-integral ownership record to reflect a new owner of the product. The product itself carries a traceable, auditable, non-forgeable, non-repudiable proof of ownership. This recorded ownership transfer information provides an electronic receipt, which may be used by the present owner to prove his or her ownership. The prior art does not fully address the needs of the retailer in a retail setting to hide the EPC code of the tag in an encrypted form, while still allowing the retailer to convert the encrypted identity back to its original EPC code when desired (i.e. when a consumer returns a product). Instead, the patent addresses the need for establishing secure electronic transaction receipts for proof of ownership. This is useful for product returns, but again, the prior art does not reduce the risk of exposing the retailer's inventory by hiding EPC reads from competitors.
In U.S. Pat. No. 6,995,652 entitled ‘System and method for controlling remote devices’ inventors Carrender, Gilbert, Scott, and Clark disclose and claim an RFID control system for controlling an operable object in response to interrogation and control signals from a remote RFID interrogator. The inventors propose a system and method for controlling remote devices utilizing an RFID tag device having a control circuit adapted to render the tag device, and associated objects, permanently inoperable in response to radio-frequency control signals. The prior art claims a novel way to ‘kill’ an RFID tag; however, the prior art does not address the needs of the retailer in a retail setting to hide the EPC code of the RFID tag. To kill a product's RFID tag while still on shelf would eliminate any way for a retailer to track inventory using RFID means.
In U.S. Pat. No. 7,411,503 entitled ‘System and method for disabling data on radio frequency identification tags’ inventors Stewart, Rolin, and Carrender disclose and claim a method for disabling a portion of an RFID tag for privacy, comprising: the performing of an anti-collision procedure to select a tag from a plurality of tags, the selected tag identifying an item for purchase; receiving a cyclical redundancy check and a kill instruction by the tag, the kill instruction including an algorithmically calculated code unique to the selected tag; verifying the kill instruction is valid; and if the kill instruction is valid, disabling the at least a portion of the tag to provide privacy after a purchase. They state that the disclosed embodiments of the invention are used to permanently disable or destruct an RFID tag so that it is no longer possible to read some or all of the data encoded on the RFID tag. However, the invention does not fully address the needs of the retailer in a retail setting to hide the EPC code of the tag in an encrypted form, while still allowing the retailer to convert the encrypted identity back to its original EPC code when desired (i.e. when a consumer returns a product). Instead, the invention only addresses the need for consumer privacy by permanently disabling portions of the RFID tag. Note that in the present invention, by ‘flipping’ the EPC code of an RFID tag, a consumer's privacy is protected as the RFID tag is not publicly recognized or decodable.
In U.S. Pat. No. 7,425,897 entitled ‘Radio frequency identification (RFID) device with a response stop command’ inventors Fukushima, Takami, and Moritani disclose and claim an RFID device that is capable of stopping and restarting a response via a response stop command. The device is capable of using command data from external communication equipment to look up response restart data at the restart of a response, deciding a data storage area and content that may be initialized when the restart is possible, and rewriting a data storage portion. The prior art addresses the need to implement a start/stop command response within an RFID tag, which is another way of ‘killing’ an RFID tag to protect consumer privacy without permanently disabling the RFID tag. However, the invention does not fully address the needs of the retailer in a retail setting to hide the EPC code of the tag in an encrypted form while still allowing the retailer to quickly revert the encrypted tag ID back to the original EPC code.
In U.S. Pat. No. 7,477,151 entitled ‘RFID device with changeable characteristics’ inventors Forster and Sasaki disclose an RFID device that includes a relatively permanent portion and a second alterable or inactivatable portion. Upon the occurrence of some predetermined event, the second portion and/or its coupling to the first portion is physically altered, inactivating it. The first portion may itself be an antennaless RFID device that may be read at short range, and the second portion may be an antenna that, when coupled to the first portion, substantially increases the range at which the first portion may be read. The patent introduces a novel way of altering an RFID tag's read range, which might protect consumer privacy to some degree. However, the invention does not address the needs of a retailer in a retail setting to hide the EPC code of the tag in an encrypted form while still being able to read an RFID tag at a significant distance. If a retailer were only able to read an RFID tag at short range, they would lose the inherent benefit of RFID to take inventory quickly and easily.
In U.S. Pat. No. 5,874,902 entitled ‘Radio frequency identification transponder with electronic circuit enabling disabling capability’ inventors Heinrich, Capek, Cofino, Friedman, McAuliffe, Sousa, and Walsh describe an RFID tag which has an enable/disable circuit connected to a critical part of an electronic object/circuit, e.g. a computer mother board. Signals are sent to the tag to change data in the tag memory which causes the enable/disable tag circuit to control the critical part to enable and disable the electric circuit. The prior art is a method for altering the RFID tag in an ‘on and off’ manner by enabling and disabling the vital circuitry within the RFID tag chip. The novel ideas of the prior art do not address the need of the retailer in a retail setting to hide the EPC code of the tag in an encrypted form, while still allowing the retailer to convert the encrypted identity back to its original EPC code when desired. To turn an RFID tag ‘off’ while still attached to a product in a retail setting would eliminate the benefit of the retailer to quickly and easily take RFID readings for inventory.
In U.S. Pat. No. 6,025,780 entitled ‘RFID tags which are virtually activated and or deactivated and apparatus and methods of using same in an electronic security system’ inventors Bowers and Clare disclose and claim an electronic security system that uses a set of predefined RFID tags. Each tag includes unique tag information which is logged into a computerized database that contains a record for each of the tags in the set. When an RFID tag is detected, the database records are compared to the tag information and an appropriate database response is output. A deactivation event may be performed on the tag when legitimate access is obtained to the tagged article. The deactivation event may be electronic, physical or virtual. In summary, the prior art comprises a database system to recognize when and how to disable a tag. Like most other prior art in this area, the inventors have discovered a novel way of disabling an RFID tag, but have not addressed both the needs of the retailer and the consumer by hiding the publicly decodable EPC information while not disabling the RFID tag from being read.
In U.S. Pat. No. 6,181,248 entitled ‘Deactivatable article security label with data carrier function’ inventor Fockens discloses and claims an article security label comprising a resonance circuit including a coil and a capacitor, and a semiconductor memory and switching circuit connected to the resonance circuit for activating and deactivating the label, the semiconductor memory and switching circuit having a memory function and a switch function, wherein the open or closed state of the semiconductor memory and switching circuit determines whether the label is activated or deactivated. The inventor states that the invention relates to an article security label adapted for repeated activation and deactivation using a semiconductor memory element. Essentially the invention comprises a way to disable and enable portions of a security label (e.g. RFID tag). The invention falls short in not being able to hide the public EPC code while still allowing the label to be read.
In U.S. Pat. No. 6,933,848 entitled ‘System and method for disabling data on radio frequency identification tags’ inventors Stewart, Rolin, and Curtis disclose and claim an RFID system, wherein, in one method, an RFID tag is identified and its identity is confirmed. Verification that a prerequisite event has occurred is obtained, occurrence of which is required prior to disablement of the data. A destruct instruction is transmitted to the RFID tag. The RFID tag verifies that the destruct instruction is valid and disables the data upon verifying validity of the destruct instruction. The tag may disable the data by erasing the data, disabling the data, auto-destructing, or performing any operation that makes the data unreadable. The prior art proposes a novel way to disable a tag, but does so permanently such that the RFID tag cannot be reactivated with preexisting data intact. The invention falls short in many ways of ensuring retailer and consumer privacy. For example, no longer is an RFID tag able to be read for product returns.
In U.S. Pat. No. 7,012,531 entitled ‘Product label, method of producing product labels and method for identifying products in a contactless and forgery-proof manner’ inventors Fries and Houdeau disclose and claim a product label (i.e. RFID tag) comprising: an antenna operatively connected to said semiconductor chip, said antenna having a cross-section and a predetermined breaking point with the antenna being destructible at the predetermined breaking point. The result is a method that mechanically alters the antenna on an RFID tag, intended for producing product labels and a method for contactless, forgery-proof identification of products. However, the invention does not fully address the needs of the retailer in a retail setting to hide the EPC code of the tag in an encrypted form, while still allowing the retailer to convert the encrypted identity back to its original EPC code when desired (i.e. when a consumer returns a product).
In U.S. Patent Application Publication Number 20020067264 entitled ‘Tamper Evident Radio Frequency Identification System And Package’ inventor Soehnlen discloses and claims a system to recognize a breach of integrity of a package, wherein an attempt to enter the package disables the package's identification tag and will cause the identification tag, thereafter interrogated, to fail to send a signal or will send a signal that is different from the predetermined signal. Such a novel idea may partially address the concerns of consumer privacy by disabling the RFID tag. However, the invention does not address the needs of a retailer to hide the publicly decodable EPC identifier while the packages are stocked in the retail store.
In U.S. Patent Application Publication Number 20050242957 entitled ‘Deactivating a data tag for user privacy or tamper-evident packaging’ inventors Lindsay et al., U.S. Patent Application Publication Number 20050275540 entitled ‘Secure radio frequency identification device for identity booklet or object to be identified’ inventors Halope et al., U.S. Patent Application Publication Number 20060017570 entitled ‘Enabling and disabling a wireless RFID portable transponder’ inventors Moskowitz et al., U.S. Patent Application Publication Number 20060061475 entitled ‘System and method for disabling RFID tags’ inventors Moskowitz et al., U.S. Patent Application Publication Number 20060132313 entitled ‘System and method for altering or disabling RFID tags’ inventor Moskowitz, and in U.S. Pat. No. 7,629,888 entitled ‘RFID device with changeable characteristics’ inventors Forster et al. disclose novel ideas which mechanically alter the antenna on an RFID tag to protect consumer privacy. Even if the alteration is reversible, the prior art fails to address the privacy needs of a retailer to hide the publicly decodable EPC identifier while the RFID tag and associated product are stocked by the retailer. To disable the RFID tag while on shelf would prevent the retailer from easily and quickly taking inventory at the item level.
In U.S. Patent Application Publication Number 20080181398 entitled ‘METHODS AND APPARATUS FOR ENHANCING PRIVACY OF OBJECTS ASSOCIATED WITH RADIO-FREQUENCY IDENTIFICATION TAGS’ inventor Pappu discloses and claims a method for encoding a plurality of radio-frequency identification (RFID) tags, each of the RFID tags having a tag identifier, the method comprising: (a) generating a key; (b) encrypting each of a plurality of tag identifiers, using the key; (c) selecting a threshold value, T, less than the number of tag identifiers comprising the plurality of tag identifiers; (d) dividing the key into a plurality of key shares such that retrieval of T or more key shares allows the key to be reconstituted; and (e) encoding each of the plurality of RFID tags with a concatenation of the encrypted tag identifier and one of the key shares. The novel idea would not be able to efficiently handle the throughput of encrypting and decrypting consumer package goods at the item level. The number of keys necessary for such a task would require an enormous database, constantly updated for each new RFID tag introduced, to be referenced each time a tag is decrypted. The time required to do so over a global, open network connection would put a retailer at a major economic disadvantage.
Most prior art addresses consumer privacy concerns by rendering portions of an RFID tag inoperable. Other prior art alters an RFID tag's read performance by mechanically altering its antenna. Though some of these mechanical methods are reversible, they don't protect the retailer from competitor reads. Prior art that discloses encryption methods for hiding an RFID tag's unique identity generally does not recognize the throughput and scalability requirements of tagging consumer package goods at the item level. A retailer is not able to afford the time to query a real-time database over an open, global network connection. The present invention does not require such a real-time infrastructure and the associated time delays and connection uncertainties. In conclusion, none of the prior art introduces novel ideas to efficiently and cost effectively encrypt an RFID tag's unique numbering to protect the retailer from competitor reads and to protect the consumers' privacy.
International Publication Number WO2009/052059 discloses an RFID tag authentication method using publicly readable numbers, encryption, and encrypted passwords. This invention fails to solve the real world authentication problems because it is vulnerable to cyber attacks. Inventor Oberle's method fails to provide for cryptographic key changes or controls on the pools of seed values, thereby exposing that solution to multiple forms of cyber attack. This is in contrast to the present invention that anticipates that some attacks will be successful and provides for frequent key updates that are synchronized with downstream readers using an index number that is stored in the tag's memory. Oberle does not provide any type of index number means. Oberle solves the replay attack problem by adding a counter to the tag whereas the present invention uses an EPC tag's random number generator and cover coding.
US Patent Application US 2007/0052523 teaches an RFID tag encryption system and method using an index and a header that are in plaintext form at the server/reader level but are stored on the RFID tag as a combined encrypted ID. This is in contrast to the present invention that uses an unencrypted plaintext index number stored on the RFID tag that is used by the reader as an index into an indexed table of cryptographic keys for a cipher to produce passwords to access or kill the tag. Unlike the present invention, this prior art does not disclose tag passwords or secure memory.
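The index-into-key-table arrangement described above, together with the key updates mentioned in the preceding paragraph, sketched as an added example that is not the patent's own code. HMAC-SHA-256 stands in for the unspecified cipher, and the use of the tag identifier as cipher input, the class and function names, and all key and tag values are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

PASSWORD_BYTES = 4  # EPC Gen2 access and kill passwords are 32 bits each


@dataclass(frozen=True)
class TagRead:
    key_index: int  # plaintext index number read from tag memory
    tag_id: bytes   # publicly readable identifier (assumed cipher input)


class KeyTable:
    """Indexed table of cryptographic keys held by an authorized reader."""

    def __init__(self, keys=None):
        self._keys = dict(keys or {})

    def add(self, index: int, key: bytes) -> None:
        # Never reuse an index: tags in the field still point at the old key.
        if index in self._keys:
            raise ValueError(f"key index {index} is already assigned")
        self._keys[index] = key

    def get(self, index: int) -> Optional[bytes]:
        return self._keys.get(index)


def _derive(key: bytes, purpose: bytes, tag: TagRead) -> int:
    # Gen2 treats an all-zero password as "not set", so skip a zero result.
    for counter in range(256):
        msg = (purpose + bytes([counter])
               + tag.key_index.to_bytes(2, "big") + tag.tag_id)
        mac = hmac.new(key, msg, hashlib.sha256).digest()
        value = int.from_bytes(mac[:PASSWORD_BYTES], "big")
        if value:
            return value
    raise RuntimeError("no non-zero password found")


def passwords_for(table: KeyTable, tag: TagRead) -> Optional[Tuple[int, int]]:
    """Return (access, kill) passwords, or None if the index is unknown.

    None means this reader's table is out of date; it says nothing about
    whether the tag is genuine.
    """
    key = table.get(tag.key_index)
    if key is None:
        return None
    return _derive(key, b"access", tag), _derive(key, b"kill", tag)


# Constructed sample keys and tag identifier, not taken from the page.
KEY_V1 = bytes.fromhex("a1" * 16)
KEY_V2 = bytes.fromhex("b2" * 16)
SAMPLE_TAG_ID = bytes(range(12))


def demo() -> dict:
    issuer = KeyTable({1: KEY_V1})
    old_tag = TagRead(key_index=1, tag_id=SAMPLE_TAG_ID)
    issuer.add(2, KEY_V2)  # key update: newly encoded tags carry index 2
    new_tag = TagRead(key_index=2, tag_id=SAMPLE_TAG_ID)
    synced_reader = KeyTable({1: KEY_V1, 2: KEY_V2})
    stale_reader = KeyTable({1: KEY_V1})
    return {
        "old_tag_matches": passwords_for(synced_reader, old_tag)
        == passwords_for(issuer, old_tag),
        "new_tag_matches": passwords_for(synced_reader, new_tag)
        == passwords_for(issuer, new_tag),
        "stale_reader_new_tag": passwords_for(stale_reader, new_tag),
    }


if __name__ == "__main__":
    print(demo())
```
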
US Patent Application US2006/0087407 teaches a solution for RFID tags to be password carriers for RFID readers to access other RFID tags transported in the same shipment. It describes the problem to be solved, but fails to disclose block ciphers, an indexed table of cryptographic keys, or a plaintext index stored on a tag that is to be accessed, authenticated, or killed.